Transport Layer Security (TLS) Enhancements
Per-Host TLS Configuration with SNI Support
We're excited to introduce Server Name Indication (SNI) TLS configuration, which lets you configure TLS settings for individual host domains in addition to the default TLS configuration. A single Orchestrator can therefore serve multi-tenant deployments and hosts with differing certificate requirements, each under its own TLS policy.
What's New
Before this release:
Only a single default TLS configuration could be set for the Orchestrator HTTP server
All incoming requests used the same TLS certificate and settings regardless of the hostname
After this release:
Configure a default TLS configuration for fallback scenarios
Define host-specific TLS configurations using Server Name Indication (SNI) for inbound requests
Each host domain can have its own TLS certificate, minimum version, cipher suites, and mTLS settings
The Orchestrator automatically matches incoming requests to the correct TLS configuration based on the SNI value in the TLS handshake
Note: SNI TLS configuration applies to inbound requests (clients connecting to the Orchestrator). For outbound requests (Orchestrator connecting to upstream applications), the Orchestrator supports proxy applications using their own TLS configuration settings. This is not yet available for configuration in the Maverics Console but is coming soon.
Key Benefits
Multi-Domain Support: Serve multiple domains from a single Orchestrator instance, each with its own TLS certificate
Security: Apply different security policies (TLS versions, cipher suites, mTLS) per domain based on your requirements
Certificate Management: Use different certificate authorities or certificate types for different domains
Flexible Deployment: Support diverse application requirements without deploying multiple Orchestrator instances
UI Configuration
The Maverics Console provides an interface for managing SNI TLS configurations. This can be found in the Deployment Manager:
Add TLS Configuration: Create new TLS configurations with custom certificates, minimum versions, cipher suites, and mutual TLS (mTLS) settings
Host Management: Configure multiple host entries with their associated TLS configurations
Default Configuration: Set and modify the default TLS configuration that applies when no SNI match is found
For example, you might configure:
Standard TLS for public-facing applications (e.g., app.example.com)
Strict mTLS with client certificate verification for internal APIs (e.g., api.internal.example.com)
Request client certificates for administrative interfaces (e.g., admin.example.com)
Proxy Application Integration
SNI TLS configurations work with proxy applications, enabling routing and security policies:
Route Pattern Matching: When configuring proxy applications, you can specify route patterns that include hostnames (e.g., canary.orchestrator-host.com). The Orchestrator uses the SNI value from incoming requests to match both the route pattern and the appropriate TLS configuration.
Automatic TLS Selection: When a client connects to a proxy application, the Orchestrator:
Extracts the SNI value from the TLS handshake
Matches the SNI to the appropriate TLS configuration (including mTLS settings if configured)
Applies the matched TLS configuration for the connection
Routes the request to the proxy application based on the route pattern
Hostname-Based Routing: Proxy applications can use hostnames in their route patterns to ensure requests are routed correctly while leveraging the corresponding SNI TLS configuration. This enables scenarios where:
Different domains route to different upstream applications
Each domain uses its own TLS certificate and security policies
mTLS requirements vary by domain and application
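To make the selection described above concrete (the default-versus-host behaviour listed under What's New and the handshake steps under Automatic TLS Selection), here is an added example written for this page in Go using the standard library's crypto/tls GetConfigForClient hook. It is not Orchestrator code and does not claim to show how the Orchestrator implements the feature internally; it demonstrates one way a TLS listener can pick a per-host certificate, minimum version, cipher suites and mTLS policy from the SNI in the ClientHello and fall back to a default entry when the SNI is absent or unknown. The hostnames app.example.com and api.internal.example.com are the page's own examples; default.example.com, client.internal.example.com and every certificate are constructed in memory for the demonstration and carry no real trust.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSigned mints an in-memory self-signed certificate for host (constructed test material only).
func selfSigned(host string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// sniConfig wires the ClientHello's SNI to a per-host config; an absent or
// unknown SNI keeps def, which plays the role of the default/fallback entry.
func sniConfig(def *tls.Config, hosts map[string]*tls.Config) *tls.Config {
	def.GetConfigForClient = func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
		if h, ok := hosts[strings.ToLower(hello.ServerName)]; ok {
			return h, nil
		}
		return nil, nil // nil, nil tells crypto/tls to use def for this connection
	}
	return def
}

// demoConfig builds the server config for a default host, a public host and an mTLS-only
// internal host; it also returns the single client certificate the internal host trusts.
func demoConfig() (server *tls.Config, clientCert tls.Certificate) {
	clientCert = selfSigned("client.internal.example.com") // hypothetical client identity
	pool := x509.NewCertPool()
	leaf, _ := x509.ParseCertificate(clientCert.Certificate[0])
	pool.AddCert(leaf)
	server = sniConfig(
		&tls.Config{Certificates: []tls.Certificate{selfSigned("default.example.com")}, MinVersion: tls.VersionTLS12},
		map[string]*tls.Config{
			// Public app: TLS 1.2+, one AEAD suite for 1.2 clients, no client certificates.
			"app.example.com": {Certificates: []tls.Certificate{selfSigned("app.example.com")},
				MinVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}},
			// Internal API: TLS 1.3 only, and a client certificate chaining to pool is mandatory.
			"api.internal.example.com": {Certificates: []tls.Certificate{selfSigned("api.internal.example.com")},
				MinVersion: tls.VersionTLS13, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool},
		})
	return server, clientCert
}

// probe runs one handshake over an in-memory pipe and returns the CN of the server
// certificate that was served and the negotiated protocol version, or the handshake error.
func probe(server, client *tls.Config) (cn string, version uint16, err error) {
	sc, cc := net.Pipe()
	go func() {
		defer sc.Close()
		s := tls.Server(sc, server)
		if s.Handshake() == nil { // handshake failures reach the client as TLS alerts
			s.Write([]byte("ok"))
		}
	}()
	c := tls.Client(cc, client)
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	if err = c.Handshake(); err != nil {
		return "", 0, err
	}
	// Under TLS 1.3 a rejected client certificate is signalled after the client's
	// handshake has already returned, so read the server's first bytes to surface it.
	if _, err = c.Read(make([]byte, 2)); err != nil {
		return "", 0, err
	}
	cs := c.ConnectionState()
	return cs.PeerCertificates[0].Subject.CommonName, cs.Version, nil
}

func main() {
	server, _ := demoConfig()
	// InsecureSkipVerify only because the demo certificates are self-signed.
	fmt.Println(probe(server, &tls.Config{ServerName: "app.example.com", InsecureSkipVerify: true}))
}
```

Two points worth checking in your own deployment follow from this: the cipher-suite list only constrains TLS 1.2 clients (TLS 1.3 suites are fixed by the library), so a host that must pin suites should also pin its minimum version; and a client that sends no SNI at all, for example one connecting by IP address, lands on the default entry, so the default entry's certificate and mTLS policy are what an unexpected client will meet.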
Migration Guide
Existing Deployments:
Existing deployments with a single default TLS configuration continue to work without any changes
To enable SNI TLS for multiple domains, use the Maverics Console UI to add additional host-specific TLS configurations
Your existing default TLS configuration automatically becomes the default entry in the new SNI TLS system
UI Polish❤️
The new UI is now used by the LDAP attribute provider and the Auth0 identity fabric.
Token minting OPA policies are now packaged as a distinct file within the bundle.
Error handling has been improved for SSO users who try to log in with incorrectly configured settings.